A Super Fishy Situation

19 February 2015 by Jenn Granger

It all hit the fan for Lenovo this morning, after the company came under fire for shipping adware on new consumer laptops in 2014; adware that could also leave users open to attack. The software, from a company called Superfish, injects third-party ads into Google search results and other sites whether you want them there or not. Lenovo now says it has stopped installing the adware, but that may not be the end of the matter.

Adware is a software package that automatically inserts ads into the web pages a user visits, usually so that whoever installed it can make some fast cash. On the Lenovo machines it shipped on it affects Chrome and Internet Explorer, both of which trust whatever is in the Windows certificate store; word on the street is that Mozilla Firefox isn't affected because it maintains its own certificate store.

It gets more worrying still: Superfish's adware intercepts encrypted (HTTPS) traffic in order to stick ads into people's pages, which is otherwise known as a man-in-the-middle attack. To pull this off, Superfish installs its own self-signed certificate authority into the Windows trusted root store. A root CA is the trusted certificate at the top of the chain, the one that signs off everything between it and the site you're on, so once Superfish's root is trusted the software can mint a certificate for any site on the fly and the browser will accept it without a warning.

This morning Robert Graham of Errata Security extracted the certificate and its private key from the software, cracking the password that protected the key. Because the same private key ships on every affected machine, anyone holding it can sign certificates that those machines trust. In practice that means you could go to a coffee shop, jump on the shared wi-fi, find someone with a recent Lenovo and intercept their encrypted communications without their browser complaining.

In January Mark Hopkins, a Lenovo community admin, issued this statement: “We have temporarily removed Superfish from our consumer systems until such time as Superfish is able to provide a software build that addresses these issues. As for units already on the market, we have requested that Superfish auto-update a fix that addresses these issues.”

He defended the original decision to use the adware, saying that it “helps users find and discover products visually” and “instantly analyzes images on the web and presents identical and similar product offers that may have lower prices.” He also maintains that you can refuse the Superfish terms and conditions when setting up a laptop, in which case the software won't be installed.

Whilst Lenovo maintains that the software doesn't record user information, most antivirus products identify Superfish as adware and advise removing it.

Lenovo has now confirmed that it won't preload the software in the future; ultimately though, if you have a consumer Lenovo computer released in 2014, you could be at risk. Lenovo gave the following advice to get rid of it:

Go to Control Panel > Uninstall a Program

Select Visual Discovery > Uninstall

However, security experts point out that uninstalling the program doesn't remove the root certificate, so a fresh install of Windows is the safest option. If you can't do that, they suggest removing the certificate by hand:

Searching for “Certificate Manager” (certmgr.msc) on your machine

Navigating to Trusted Root Certification Authorities > Certificates; certmgr.msc shows the Current User store, so also open the Local Machine store (certlm.msc, as an administrator) and check there too, since a machine-wide root affects every account on the laptop

Looking for the certificate issued to Superfish, Inc., right-clicking it and choosing Delete, then restarting your browsers so they pick up the change
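As an added example, not Lenovo's or Superfish's code and not part of the original article, the same check and removal can be done from PowerShell, which makes it easy to cover both certificate stores and to confirm the adware package itself is gone. It assumes the certificate's Subject contains “Superfish” (the article only calls it “the Superfish certificate”), that the uninstall entry's display name contains “Superfish” or “Visual Discovery”, and PowerShell 3.0 or later run from an elevated session so the Local Machine store is reachable.

```powershell
# Added example: audit the Windows trusted root stores for the Superfish
# root certificate, optionally remove it, and check whether the Visual
# Discovery package is still installed. Assumptions (not from the article):
# the certificate Subject contains "Superfish"; the uninstall entry's
# DisplayName contains "Superfish" or "Visual Discovery".

function Find-SuperfishRoot {
    # The Control Panel uninstall leaves the root certificate behind, so
    # look in both scopes the browsers consult: machine-wide and per-user.
    $stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'
    foreach ($store in $stores) {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object { $_.Subject -like '*Superfish*' -or $_.Issuer -like '*Superfish*' } |
            ForEach-Object {
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $_.Subject
                    Thumbprint = $_.Thumbprint
                    NotAfter   = $_.NotAfter
                }
            }
    }
}

function Remove-SuperfishRoot {
    # Supports -WhatIf so the deletion can be rehearsed before it is done.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    $found = @(Find-SuperfishRoot)
    if ($found.Count -eq 0) {
        Write-Host 'No Superfish root certificate found in LocalMachine or CurrentUser root stores.'
        return
    }
    foreach ($cert in $found) {
        # Certificates are addressed by thumbprint under the Cert: drive.
        $path = "$($cert.Store)\$($cert.Thumbprint)"
        if ($PSCmdlet.ShouldProcess($path, 'Remove trusted root certificate')) {
            Remove-Item -Path $path
            Write-Host "Removed '$($cert.Subject)' from $($cert.Store)"
        }
    }
}

function Find-SuperfishProgram {
    # Mirrors the article's first step (Control Panel > Uninstall a Program)
    # by reading the same uninstall registry entries, 64-bit and 32-bit.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Superfish*' -or $_.DisplayName -like '*Visual Discovery*' } |
        Select-Object DisplayName, Publisher, UninstallString
}

# Usage: report first, rehearse the removal, then run it for real.
Find-SuperfishProgram
Find-SuperfishRoot | Format-Table -AutoSize
Remove-SuperfishRoot -WhatIf
# Remove-SuperfishRoot    # uncomment once the dry run shows only the Superfish entry
```

Run the two Find functions again after the removal; an empty result from both, followed by a browser restart, is the check that the laptop no longer trusts the Superfish root. Removing from Cert:\LocalMachine\Root needs administrator rights, which is why the script should be run elevated.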

Others are saying that more fixes will come, so keep an eye on Twitter and security sites, and avoid public wi-fi in the meantime.

For information on our security solutions take a look at our website or give us a call on 0208 045 4945.